feat(user): Use super users to replace root user (#601)

runkecheng · web-flow · commit 226f07fce5f6 · 2022-07-18T18:04:52.000+08:00
fix: #592
diff --git a/api/v1alpha1/mysqlcluster_types.go b/api/v1alpha1/mysqlcluster_types.go
@@ -97,23 +97,26 @@ type MysqlClusterSpec struct {
 	// +kubebuilder:default:=6
 	BackupScheduleJobsHistoryLimit *int `json:"backupScheduleJobsHistoryLimit,omitempty"`
 
-	// Containing CA (ca.crt) and server cert (tls.crt) ,server private key (tls.key) for SSL
-	//+optional
+	// Containing CA (ca.crt) and server cert (tls.crt), server private key (tls.key) for SSL
+	// +optional
 	TlsSecretName string `json:"tlsSecretName,omitempty"`
 }
 
 // MysqlOpts defines the options of MySQL container.
 type MysqlOpts struct {
+	// Unchangeable: Use super users instead
 	// Password for the root user, can be empty or 8~32 characters long.
 	// Only be a combination of uppercase letters, lowercase letters, numbers or special characters.
 	// Special characters are supported: @#$%^&*_+-=.
 	// +optional
 	// +kubebuilder:default:=""
-	// +kubebuilder:validation:Pattern="^$|^[A-Za-z0-9@#$%^&*_+\\-=]{8,32}$"
+	// +kubebuilder:validation:Enum=""
 	RootPassword string `json:"rootPassword,omitempty"`
 
+	// Unchangeable: Use super users instead.
 	// The root user's host.
 	// +optional
+	// +kubebuilder:validation:Enum=localhost
 	// +kubebuilder:default:="localhost"
 	RootHost string `json:"rootHost,omitempty"`
 
diff --git a/charts/mysql-operator/crds/mysql.radondb.com_mysqlclusters.yaml b/charts/mysql-operator/crds/mysql.radondb.com_mysqlclusters.yaml
@@ -205,15 +205,19 @@ spec:
                     type: object
                   rootHost:
                     default: localhost
-                    description: The root user's host.
+                    description: 'Unchangeable: Use super users instead. The root
+                      user''s host.'
+                    enum:
+                    - localhost
                     type: string
                   rootPassword:
                     default: ""
-                    description: 'Password for the root user, can be empty or 8~32
-                      characters long. Only be a combination of uppercase letters,
-                      lowercase letters, numbers or special characters. Special characters
-                      are supported: @#$%^&*_+-=.'
-                    pattern: ^$|^[A-Za-z0-9@#$%^&*_+\-=]{8,32}$
+                    description: 'Unchangeable: Use super users instead Password for
+                      the root user, can be empty or 8~32 characters long. Only be
+                      a combination of uppercase letters, lowercase letters, numbers
+                      or special characters. Special characters are supported: @#$%^&*_+-=.'
+                    enum:
+                    - ""
                     type: string
                   user:
                     default: radondb_usr
@@ -1265,7 +1269,7 @@ spec:
                   path.
                 type: string
               tlsSecretName:
-                description: Containing CA (ca.crt) and server cert (tls.crt) ,server
+                description: Containing CA (ca.crt) and server cert (tls.crt), server
                   private key (tls.key) for SSL
                 type: string
               xenonOpts:
diff --git a/config/crd/bases/mysql.radondb.com_mysqlclusters.yaml b/config/crd/bases/mysql.radondb.com_mysqlclusters.yaml
@@ -205,15 +205,19 @@ spec:
                     type: object
                   rootHost:
                     default: localhost
-                    description: The root user's host.
+                    description: 'Unchangeable: Use super users instead. The root
+                      user''s host.'
+                    enum:
+                    - localhost
                     type: string
                   rootPassword:
                     default: ""
-                    description: 'Password for the root user, can be empty or 8~32
-                      characters long. Only be a combination of uppercase letters,
-                      lowercase letters, numbers or special characters. Special characters
-                      are supported: @#$%^&*_+-=.'
-                    pattern: ^$|^[A-Za-z0-9@#$%^&*_+\-=]{8,32}$
+                    description: 'Unchangeable: Use super users instead Password for
+                      the root user, can be empty or 8~32 characters long. Only be
+                      a combination of uppercase letters, lowercase letters, numbers
+                      or special characters. Special characters are supported: @#$%^&*_+-=.'
+                    enum:
+                    - ""
                     type: string
                   user:
                     default: radondb_usr
@@ -1265,7 +1269,7 @@ spec:
                   path.
                 type: string
               tlsSecretName:
-                description: Containing CA (ca.crt) and server cert (tls.crt) ,server
+                description: Containing CA (ca.crt) and server cert (tls.crt), server
                   private key (tls.key) for SSL
                 type: string
               xenonOpts:
diff --git a/config/samples/mysql_v1alpha1_mysqlcluster.yaml b/config/samples/mysql_v1alpha1_mysqlcluster.yaml
@@ -18,8 +18,6 @@ spec:
   # such as nfsServerAddress: "10.233.55.172"
   # nfsServerAddress: 
   mysqlOpts:
-    rootPassword: "RadonDB@123"
-    rootHost: localhost
     user: radondb_usr
     password: RadonDB@123
     database: radondb
diff --git a/config/samples/mysql_v1alpha1_mysqlcluster_mysql8.yaml b/config/samples/mysql_v1alpha1_mysqlcluster_mysql8.yaml
@@ -14,8 +14,6 @@ spec:
   # restoreFrom: 
   
   mysqlOpts:
-    rootPassword: "RadonDB@123"
-    rootHost: localhost
     user: radondb_usr
     password: RadonDB@123
     database: radondb
diff --git a/config/samples/mysql_v1alpha1_mysqlcluster_podAntiAffinity.yaml b/config/samples/mysql_v1alpha1_mysqlcluster_podAntiAffinity.yaml
@@ -14,8 +14,6 @@ spec:
   # restoreFrom: 
   
   mysqlOpts:
-    rootPassword: "RadonDB@123"
-    rootHost: localhost
     user: radondb_usr
     password: RadonDB@123
     database: radondb
diff --git a/config/samples/mysql_v1alpha1_mysqluser.yaml b/config/samples/mysql_v1alpha1_mysqluser.yaml
@@ -1,13 +1,51 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  # Corresponding to the user's secretName
+  name: sample-user-password
+data:
+  # The key corresponding to the user's secretKey
+  # RadonDB@123
+  superUser: UmFkb25EQkAxMjM=
+  normalUser: UmFkb25EQkAxMjM=
+---
+apiVersion: mysql.radondb.com/v1alpha1
+kind: MysqlUser
+metadata:
+  name: super-user
+spec:
+  ## MySQL user name.
+  user: super_user
+  withGrantOption: true
+  tlsOptions: 
+    type: NONE
+  hosts: 
+    - "%"
+  permissions:
+    - database: "*"
+      tables:
+        - "*"
+      privileges:
+        - ALL
+  ## Specify the cluster where the user is located.
+  userOwner:
+    clusterName: sample
+    nameSpace: default
+  ## Specify the secret object for user.
+  secretSelector:
+    secretName: sample-user-password
+    secretKey: superUser
+---
 apiVersion: mysql.radondb.com/v1alpha1
 kind: MysqlUser
 metadata:
-  name: sample-user-cr
+  name: normal-user
 spec:
-  ## User to operate.
-  user: sample_user
+  ## MySQL user name.
+  user: normal_user
   withGrantOption: false
-  tlsOptions:
-    ## NONE/SSL/X509
+  tlsOptions: 
     type: NONE
   hosts: 
     - "%"
@@ -16,12 +54,12 @@ spec:
       tables:
         - "*"
       privileges:
-        - SELECT
+        - USAGE
   ## Specify the cluster where the user is located.
   userOwner:
     clusterName: sample
     nameSpace: default
   ## Specify the secret object for user.
   secretSelector:
     secretName: sample-user-password
-    secretKey: pwdForSample
+    secretKey: normalUser
diff --git a/config/samples/mysqluser_secret.yaml b/config/samples/mysqluser_secret.yaml
